This project provides instructions to configure the JupiterOne AWS integration. JupiterOne assumes an IAM Role in the target account that has been granted permission to read information from AWS services supported by JupiterOne. Configuring the IAM Role can be accomplished using one of the following methods:
- Launch JupiterOne IAM CloudFormation Stack using the AWS CLI
- Create a Role using the AWS Management Console
JupiterOne is also capable of processing CloudTrail events. Sending them to JupiterOne's AWS account requires an EventBridge rule that forwards matching events to JupiterOne's event bus. Note that EventBridge only receives `AWS API Call via CloudTrail` events in regions where a CloudTrail trail is logging management events, so a rule in an account or region without a trail will never fire. The rule can be configured using one of the following methods:
- Launch JupiterOne EventBridge CloudFormation Stack using the AWS CLI
- Create an EventBridge Rule using the AWS Management Console
JupiterOne currently supports the following services:
- AccessAnalyzer
- ACM
- API Gateway
- API Gateway v1
- API Gateway v2
- Autoscaling
- Backup
- Batch
- CloudFormation
- CloudFront
- CloudHSM
- CloudTrail
- CloudWatch
- CloudWatch Alarms
- CloudWatch Events
- CloudWatch Logs
- CodeBuild
- CodeCommit
- CodePipeline
- Config
- DirectConnect
- DynamoDB
- EC2
- ECR
- ECS
- EFS
- EKS
- ElastiCache
- ELB
- EMR
- ES
- Firehose
- Firewall Manager
- Global Accelerator
- Glue
- GuardDuty
- IAM (including IAM Policy analysis)
- Inspector
- Inspector2
- Kinesis
- KMS
- Lambda
- Lex v2
- Macie 2
- Network Firewall
- Organizations
- RDS
- Redshift
- Redshift Serverless
- Route53
- Route53 Domains
- S3 (including Bucket Policy analysis)
- S3 Glacier
- Secrets Manager
- SES
- Shield
- SNS
- SQS
- SSM
- Transfer
- VPC (including VPC Peering)
- WAF
- WAF v2
- Workspaces
For detailed and specific permissions, see the "Specific Permissions Policy" section below.
The SecurityAudit AWS-managed IAM policy covers many of the permissions used by JupiterOne and simplifies administration as support for more services is added. However, additional permissions not covered by SecurityAudit are necessary to allow JupiterOne to ingest more information, enabling the platform to provide more value.
Each of the configuration methods recommends and assumes the use of the SecurityAudit managed policy, though you may decide to build out a single policy based on the information provided here.
If you don't mind the maintenance work and would prefer to maintain a hand-crafted policy, an exact policy containing only the specific permissions is also provided.
Link to Additional Permissions Policy
This policy may be used to grant only exactly the specific permissions currently used by JupiterOne. Using this policy will almost certainly require you to update it in the future as more APIs are called by JupiterOne.
NOTE: By default, AWS limits a customer managed policy to 6,144 non-whitespace characters. The specific-permissions policy exceeds that, so it has been split into multiple policy documents that each stay under the limit; every one of them must be attached to the role. If you have requested a quota increase from AWS, you may be able to consolidate these policies. (Two related default quotas to keep in mind: a role may have at most 10 managed policies attached, and inline role policies have a separate limit of 10,240 characters.)
Link to Specific Permissions Policy
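The note above is easier to act on with a tool that measures a policy the way IAM does and packs a long action list into as few documents as will fit. The following is an added example, not code from the JupiterOne project or the policy it links to: the service names and `Describe*/Get*/List*` actions are a constructed sample sized to exceed the limit, and the two quota constants are AWS defaults rather than values taken from the page.

```python
import json

# AWS default IAM quotas (not from the page): a customer managed policy may
# hold at most 6,144 non-whitespace characters, and a role may have at most
# 10 managed policies attached.
MANAGED_POLICY_MAX_CHARS = 6144
MAX_MANAGED_POLICIES_PER_ROLE = 10

# Constructed sample: read-only actions spread across many services, sized to
# blow past the limit the way a full audit policy does. Not the real list.
_SERVICES = [
    "accessanalyzer", "acm", "apigateway", "autoscaling", "backup", "batch",
    "cloudformation", "cloudfront", "cloudhsm", "cloudtrail", "cloudwatch",
    "codebuild", "codecommit", "codepipeline", "config", "directconnect",
    "dynamodb", "ec2", "ecr", "ecs", "elasticfilesystem", "eks", "elasticache",
    "elasticloadbalancing", "elasticmapreduce", "es", "firehose", "fms",
    "globalaccelerator", "glue", "guardduty", "iam", "inspector", "kinesis",
    "kms", "lambda", "macie2", "network-firewall", "organizations", "rds",
]
_VERBS = ["Describe", "Get", "List"]
_NOUNS = ["Configuration", "Policy", "Tags", "Status", "Attributes", "Settings"]
SAMPLE_ACTIONS = [f"{svc}:{verb}{noun}" for svc in _SERVICES for verb in _VERBS for noun in _NOUNS]


def policy_size(policy: dict) -> int:
    """Size as IAM counts it: every character of the JSON document except whitespace."""
    return sum(1 for ch in json.dumps(policy) if not ch.isspace())


def build_policy(actions) -> dict:
    """One read-only Allow statement. Resource is "*" because Describe/List/Get
    audit calls are not resource-scoped; there are no write actions here."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


def split_into_policies(actions, limit: int = MANAGED_POLICY_MAX_CHARS) -> list:
    """Greedily pack actions into as few policy documents as possible, each at
    or under `limit` non-whitespace characters, and refuse a result that
    could not be attached to a single role."""
    policies, current = [], []
    for action in sorted(set(actions)):
        if policy_size(build_policy([action])) > limit:
            raise ValueError(f"single action {action!r} cannot fit in one policy")
        if current and policy_size(build_policy(current + [action])) > limit:
            policies.append(build_policy(current))
            current = []
        current.append(action)
    if current:
        policies.append(build_policy(current))
    if len(policies) > MAX_MANAGED_POLICIES_PER_ROLE:
        raise ValueError(f"{len(policies)} policies exceed the per-role attachment quota")
    return policies


def covered_actions(policies) -> set:
    """Every action granted across the split documents, for a round-trip check."""
    actions = set()
    for policy in policies:
        for stmt in policy["Statement"]:
            acts = stmt["Action"]
            actions.update([acts] if isinstance(acts, str) else acts)
    return actions


if __name__ == "__main__":
    print("as one document:", policy_size(build_policy(SAMPLE_ACTIONS)), "chars (over the limit)")
    parts = split_into_policies(SAMPLE_ACTIONS)
    for i, part in enumerate(parts, 1):
        n = len(part["Statement"][0]["Action"])
        print(f"policy {i}: {policy_size(part)} chars, {n} actions")
    assert covered_actions(parts) == set(SAMPLE_ACTIONS)
```

Each document returned can be created with `aws iam create-policy --policy-document file://...` and attached to the role alongside SecurityAudit; the `covered_actions` round-trip is the check worth keeping in a pipeline, because a hand-edited split is exactly where a permission silently goes missing.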
Launch the IAM stack with the AWS CLI (the `--capabilities CAPABILITY_NAMED_IAM` flag is required because the template creates an IAM role with a fixed name):

```sh
aws cloudformation create-stack --stack-name JupiterOneIntegration --capabilities CAPABILITY_NAMED_IAM --template-url https://s3.amazonaws.com/jupiterone-prod-us-aws-cloudformation-templates/cloudformation.json
```
From your AWS Management Console, perform the following steps:
- Go to IAM > Roles and click Create Role.
- Select Another AWS account under Select type of trusted entity.
- Enter the following Account ID: `<jupiterone_account_id>`
- Select Require external ID and enter the following External ID: `<jupiterone_external_id>`
- Leave Require MFA unchecked and click Next: Permissions.
- Click Create Policy, select the JSON tab, and enter the document content found here: Link to Additional Permissions Policy
- Click Review Policy and verify the permissions.
- Enter `JupiterOneSecurityAudit` as the Name and click Create Policy.
- Return to the Create Role tab in your browser. Click the Policy table's Refresh icon.
- In the Policy search box, search for `SecurityAudit`. Select both the `SecurityAudit` and `JupiterOneSecurityAudit` policies. SecurityAudit is an AWS-managed IAM policy.
- With both policies selected, click Next: Review.
- Enter `JupiterOne` as the Role Name and, optionally, enter a description for the Role.
- Click Create Role.
- In the list of Roles, search for and select the newly created `JupiterOne` role, and copy the Role ARN. It should be in a format that looks like `arn:aws:iam::<your_aws_account_id>:role/JupiterOne`.

The Account ID restricts who may assume the role, and the External ID is what stops the confused-deputy problem: without it, anyone else who could get JupiterOne to assume a role could point it at your Role ARN. Keep both values exactly as shown in the JupiterOne UI.
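The console steps above produce a role trust policy; it is worth being able to generate that document from the CLI and to audit an existing one for the two mistakes that matter (a wildcard principal, or a missing external ID condition). The following is an added example and not JupiterOne's own code or template; the account ID and external ID are constructed placeholders standing in for `<jupiterone_account_id>` and `<jupiterone_external_id>`, and `audit_trust_policy` is a helper written for this page.

```python
import json
import re

# Constructed placeholders; the real values come from the JupiterOne UI.
SAMPLE_TRUSTED_ACCOUNT = "123456789012"
SAMPLE_EXTERNAL_ID = "j1-example-external-id"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy equivalent to the console choices: trust one other AWS
    account (the console writes it as the account's root ARN), require an
    external ID, no MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_accounts(principal) -> set:
    """Account IDs named by a Principal element (root ARNs or bare IDs).
    A wildcard is returned as '*' so the caller can flag it."""
    if principal == "*":
        return {"*"}
    accounts = set()
    for p in _as_list(principal.get("AWS", [])):
        if p == "*":
            accounts.add("*")
        else:
            m = re.search(r"\b(\d{12})\b", p)
            if m:
                accounts.add(m.group(1))
    return accounts


def audit_trust_policy(policy: dict, expected_account_id: str, expected_external_id=None) -> list:
    """Findings for a cross-account trust policy; an empty list means it grants
    exactly what the console steps intend. Only Allow statements that grant
    sts:AssumeRole are examined."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append(f"statement {i}: any AWS principal may assume the role")
        elif accounts != {expected_account_id}:
            findings.append(f"statement {i}: trusts {sorted(accounts)}, expected only {expected_account_id}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append(f"statement {i}: no sts:ExternalId condition (confused-deputy risk)")
        elif expected_external_id is not None and ext != expected_external_id:
            findings.append(f"statement {i}: sts:ExternalId does not match the expected value")
    return findings


if __name__ == "__main__":
    trust = build_trust_policy(SAMPLE_TRUSTED_ACCOUNT, SAMPLE_EXTERNAL_ID)
    print(json.dumps(trust, indent=2))
    print("findings:", audit_trust_policy(trust, SAMPLE_TRUSTED_ACCOUNT, SAMPLE_EXTERNAL_ID))
```

Write the printed document to a file and pass it as `--assume-role-policy-document file://trust.json` to `aws iam create-role --role-name JupiterOne`; later, feed the `AssumeRolePolicyDocument` returned by `aws iam get-role --role-name JupiterOne` to `audit_trust_policy` to confirm nobody has loosened it.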
JupiterOne currently supports the following events:
| Event Name | Modified Entities _type | Modified Relationships _type |
|---|---|---|
| CreateBucket | aws_s3_bucket | |
| PutBucketAcl | aws_s3_bucket | aws_s3_bucket_grant |
| PutBucketEncryption | aws_s3_bucket | |
| DeleteBucketEncryption | aws_s3_bucket | |
| PutBucketInventoryConfiguration | aws_s3_bucket | aws_s3_bucket_publishes_inventory_report |
| PutBucketLifecycle | aws_s3_bucket | |
| PutBucketLogging | aws_s3_bucket | |
| PutBucketPolicy | aws_s3_bucket_policy | aws_s3_bucket_has_policy |
| PutBucketReplication | aws_s3_bucket | |
| PutBucketTagging | aws_s3_bucket | |
| PutBucketVersioning | aws_s3_bucket | |
| PutObjectLockConfiguration | aws_s3_bucket | |
| PutPublicAccessBlock | aws_s3_bucket | |
| Event Name | Modified Entities _type | Modified Relationships _type |
|---|---|---|
| CreateAccessKey | aws_iam_access_key | |
| CreateGroup | aws_iam_group | |
| CreatePolicy | aws_iam_policy | |
| CreateRole | aws_iam_role | |
| CreateUser | aws_iam_user | |
| Event Name | Modified Entities _type | Modified Relationships _type |
|---|---|---|
| RunInstances | aws_instance | aws_ec2_has_aws_instance, aws_instance_uses_ami, aws_instance_uses_key_pair, aws_instance_uses_eni, aws_resource_has_security_group, aws_security_group_protects_resource, aws_subnet_has_instance |
| StartInstances | aws_instance | |
| StopInstances | aws_instance | |
| TerminateInstances | aws_instance | |
| ModifyInstanceAttribute | aws_instance | aws_resource_has_security_group, aws_security_group_protects_resource |
| CreateFleet | aws_instance | aws_ec2_has_aws_instance, aws_instance_uses_ami, aws_instance_uses_key_pair, aws_instance_uses_eni, aws_resource_has_security_group, aws_security_group_protects_resource, aws_subnet_has_instance |
| CreateSecurityGroup | aws_security_group | aws_ec2_has_aws_security_group |
| DeleteSecurityGroup | aws_security_group | |
| AuthorizeSecurityGroupIngress | aws_security_group_rule | |
| RevokeSecurityGroupIngress | aws_security_group_rule | |
| AuthorizeSecurityGroupEgress | aws_security_group_rule | |
| RevokeSecurityGroupEgress | aws_security_group_rule | |
| CreateImage | aws_ami | aws_ami_contains_snapshot |
| RegisterImage | aws_ami | aws_ami_contains_snapshot |
| ModifyImageAttribute | aws_ami | |
| DeregisterImage | aws_ami | |
| CreateSnapshot | aws_ebs_snapshot | aws_ebs_volume_snapshot |
| CreateSnapshots | aws_ebs_snapshot | aws_ebs_volume_snapshot |
| ModifySnapshotAttribute | aws_ebs_snapshot | |
| DeleteSnapshot | aws_ebs_snapshot | |
| Event Name | Modified Entities _type | Modified Relationships _type |
|---|---|---|
| CreateLoadBalancer | aws_alb, aws_elb, aws_nlb | aws_elasticloadbalancing_has_aws_alb, aws_elasticloadbalancing_has_aws_elb, aws_elasticloadbalancing_has_aws_nlb, aws_vpc_has_load_balancer, aws_resource_has_security_group, aws_security_group_protects_resource |
| CreateListener | aws_lb_listener | aws_load_balancer_has_listener, aws_lb_listener_uses_acm_certificate, aws_lb_listener_uses_iam_server_certificate |
| CreateTargetGroup | aws_lb_target_group | aws_load_balancer_connects_target_group |
| CreateRule | aws_lb_listener_rule | aws_lb_listener_has_rule |
| SetSecurityGroups | | aws_resource_has_security_group, aws_security_group_protects_resource |
| RegisterTargets | | aws_load_balancer_connects_target_group |
| Event Name | Modified Entities _type | Modified Relationships _type |
|---|---|---|
| CreateAutoScalingGroup | aws_autoscaling_group | aws_autoscaling_has_aws_autoscaling_group, aws_autoscaling_group_uses_launch_template, aws_autoscaling_group_has_instance, aws_autoscaling_group_uses_launch_config, aws_autoscaling_group_uses_policy |
| UpdateAutoScalingGroup | aws_autoscaling_group | |
| DeleteAutoScalingGroup | aws_autoscaling_group | |
| Event Name | Modified Entities _type | Modified Relationships _type |
|---|---|---|
| CreateDBInstance | aws_db_instance | aws_rds_has_aws_db_instance, aws_rds_cluster_contains_instance, aws_rds_parameter_group_in_use, aws_security_group_protects_resource, aws_resource_has_security_group, aws_resource_uses_kms_key, aws_vpc_has_db_instance, aws_db_instance_uses_secret, aws_db_instance_uses_option_group |
| ModifyDBInstance | aws_db_instance | aws_rds_has_aws_db_instance, aws_rds_cluster_contains_instance, aws_rds_parameter_group_in_use, aws_security_group_protects_resource, aws_resource_has_security_group, aws_resource_uses_kms_key, aws_vpc_has_db_instance, aws_db_instance_uses_secret, aws_db_instance_uses_option_group |
| StartDBInstance | aws_db_instance | |
| StopDBInstance | aws_db_instance | |
| DeleteDBInstance | aws_db_instance | |
| CreateDBCluster | aws_rds_cluster | aws_rds_has_aws_rds_cluster, aws_rds_parameter_group_in_use, aws_security_group_protects_resource, aws_resource_has_security_group, aws_resource_uses_kms_key |
| ModifyDBCluster | aws_rds_cluster | aws_rds_has_aws_rds_cluster, aws_rds_parameter_group_in_use, aws_security_group_protects_resource, aws_resource_has_security_group, aws_resource_uses_kms_key |
| StartDBCluster | aws_rds_cluster | |
| StopDBCluster | aws_rds_cluster | |
| DeleteDBCluster | aws_rds_cluster | |
| CreateDBSnapshot | aws_db_snapshot | aws_db_instance_has_snapshot, aws_db_snapshot_uses_kms_key |
| DeleteDBSnapshot | aws_db_snapshot | |
| CreateDBClusterSnapshot | aws_db_cluster_snapshot | aws_db_cluster_has_snapshot, aws_db_cluster_snapshot_uses_kms_key |
| DeleteDBClusterSnapshot | aws_db_cluster_snapshot | |
| Event Name | Modified Entities _type | Modified Relationships _type |
|---|---|---|
| CreateCluster | aws_redshift_cluster | aws_redshift_has_aws_redshift_cluster, aws_redshift_cluster_uses_parameter_group, aws_security_group_protects_resource, aws_resource_has_security_group, aws_resource_uses_kms_key, aws_vpc_has_redshift_cluster |
| ModifyCluster | aws_redshift_cluster | aws_redshift_has_aws_redshift_cluster, aws_redshift_cluster_uses_parameter_group, aws_security_group_protects_resource, aws_resource_has_security_group, aws_resource_uses_kms_key, aws_vpc_has_redshift_cluster |
| DeleteCluster | aws_redshift_cluster | |
Launch the EventBridge stack with the AWS CLI:

```sh
aws cloudformation create-stack --stack-name JupiterOneIntegrationEvents --template-url https://s3.amazonaws.com/jupiterone-prod-us-aws-cloudformation-templates/events-cloudformation.json
```
From your AWS Management Console, perform the following steps:
- Go to Amazon EventBridge > Rules and, with the default event bus selected, click Create rule.
- Enter the following values:
  - Name: `jupiterone-cloudtrail-events`
  - Description: `Send CloudTrail Events to JupiterOne`
- In the Define pattern section, select Event pattern and then Custom pattern. Copy the `Resources.JupiterOneCloudTrailEventsRule.Properties.EventPattern` object from `cloudformation/events/cloudformation-template.json` (Link to EventBridge CloudFormation) into the text field. It should look something like this:

```json
{
  "source": ["aws.s3", "aws.iam", "aws.ec2", "...more sources..."],
  "detail-type": ["AWS API Call via CloudTrail"],
  "detail": {
    "eventSource": [
      "s3.amazonaws.com",
      "iam.amazonaws.com",
      "ec2.amazonaws.com",
      "...more sources..."
    ],
    "eventName": ["...event names here..."]
  }
}
```

- In the Select targets section, select Event bus in another AWS account. For the Event Bus field, enter `arn:aws:events:us-east-1:612791702201:event-bus/jupiter-integration-aws`. For the role, select Create a new role for this specific resource. The role should be created with a policy that looks like the following, with the region and account ID taken from the event bus ARN above (the policy grants only `events:PutEvents`, and only on JupiterOne's bus):

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["events:PutEvents"],
      "Resource": [
        "arn:aws:events:<TARGET AWS REGION>:<JUPITERONE ACCOUNT ID>:event-bus/jupiter-integration-aws"
      ]
    }
  ]
}
```

and a trust relationship that looks like:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Service": "events.amazonaws.com" },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

- Click Create.
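Before trusting that the rule forwards what you expect, it helps to see how EventBridge evaluates the pattern against real CloudTrail envelopes: only the listed sources, the `AWS API Call via CloudTrail` detail-type, and the listed `eventName` values are forwarded, so read-only calls and non-CloudTrail events such as GuardDuty findings never leave the account. The following is an added example and not code from the JupiterOne project or its CloudFormation template; the pattern is a constructed subset of the one you copy in the steps above, the events are constructed envelopes (IDs, times and the account ID are placeholders), and `matches` implements only the exact-value subset of EventBridge matching that this rule needs.

```python
import json

# Constructed subset of the rule's event pattern; the real one lists many
# more sources and event names.
SAMPLE_EVENT_PATTERN = {
    "source": ["aws.s3", "aws.iam", "aws.ec2"],
    "detail-type": ["AWS API Call via CloudTrail"],
    "detail": {
        "eventSource": ["s3.amazonaws.com", "iam.amazonaws.com", "ec2.amazonaws.com"],
        "eventName": ["CreateBucket", "PutBucketPolicy", "CreateUser", "RunInstances"],
    },
}


def _cloudtrail_event(source, event_source, event_name, detail_type="AWS API Call via CloudTrail"):
    """Constructed EventBridge envelope for a CloudTrail management event."""
    return {
        "version": "0",
        "id": "00000000-0000-0000-0000-000000000000",
        "detail-type": detail_type,
        "source": source,
        "account": "123456789012",
        "time": "2024-01-01T00:00:00Z",
        "region": "us-east-1",
        "resources": [],
        "detail": {
            "eventVersion": "1.08",
            "eventSource": event_source,
            "eventName": event_name,
            "awsRegion": "us-east-1",
        },
    }


SAMPLE_EVENTS = [
    _cloudtrail_event("aws.s3", "s3.amazonaws.com", "PutBucketPolicy"),
    _cloudtrail_event("aws.s3", "s3.amazonaws.com", "ListBuckets"),      # read-only, not in the list
    _cloudtrail_event("aws.ec2", "ec2.amazonaws.com", "RunInstances"),
    _cloudtrail_event("aws.guardduty", "guardduty.amazonaws.com", "n/a", detail_type="GuardDuty Finding"),
]


def matches(pattern: dict, event: dict) -> bool:
    """Exact-value subset of EventBridge pattern matching: every key in the
    pattern must exist in the event; a list of strings means the event value
    (or one element of an array value) must equal one of them; nested objects
    recurse; keys the pattern does not mention are ignored. Content filters
    (prefix, anything-but, numeric) are not handled and are treated as
    non-matching so a pattern using them is never silently accepted."""
    for key, expected in pattern.items():
        if key not in event:
            return False
        actual = event[key]
        if isinstance(expected, dict):
            if not isinstance(actual, dict) or not matches(expected, actual):
                return False
        elif isinstance(expected, list) and all(isinstance(v, str) for v in expected):
            candidates = actual if isinstance(actual, list) else [actual]
            if not any(v in expected for v in candidates):
                return False
        else:
            return False
    return True


def forwarded_event_names(events, pattern=SAMPLE_EVENT_PATTERN) -> list:
    """Event names the rule would forward to the target event bus."""
    return [e["detail"]["eventName"] for e in events if matches(pattern, e)]


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        label = f'{event["source"]} {event["detail"]["eventName"]}'
        print(f"{label:40s} forwarded={matches(SAMPLE_EVENT_PATTERN, event)}")
    print(json.dumps(forwarded_event_names(SAMPLE_EVENTS)))
```

Two caveats the matcher makes visible: a rule on the default bus only sees events from its own region, and CloudTrail delivers global-service events (IAM among them) to us-east-1, so the rule must exist there whatever region your workloads run in; and because `AWS API Call via CloudTrail` events require a logging trail, an account without one produces no matches at all rather than an error.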